LastPass acknowledges browser extension vulnerability, working on fix (Updated)

Another LastPass vulnerability has been discovered by Google Project Zero hacker Tavis Ormandy. LastPass calls the vulnerability 'unique and highly sophisticated'.
Written by Jake Smith, Contributor
LastPass browser extension (LastPass)

LastPass on Monday acknowledged a remote code execution vulnerability that affects version 4.1.42 of the LastPass extension on Chrome. (See update below.)

The client-side vulnerability was discovered over the weekend by Google Project Zero researcher Tavis Ormandy.

"We are now actively addressing the vulnerability. This attack is unique and highly sophisticated," LastPass wrote in a blog post.

LastPass didn't give specifics about the vulnerability or when a fix may be released, but promised more details when the issue is resolved.

Ormandy previously found exploits in earlier versions of LastPass on March 20, and said it was possible to proxy untrusted messages to LastPass. LastPass updated its users the same day with an incident report stating that all "extensions have been patched and are being re-released to users".

Ormandy hasn't released details surrounding the latest vulnerability detailed by LastPass on Monday, but said in a tweet it's a new exploit.

Writing in the Project Zero issue tracker on March 20, Ormandy said the vulnerability in that version made it possible to proxy untrusted messages to LastPass.

"This allows complete access to internal privileged LastPass RPC commands," the researcher said. "There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)."

Furthermore, if a user had the LastPass binary component installed, the system was vulnerable to remote code execution.

LastPass is encouraging its users to use LastPass Vault to launch sites directly, be aware of phishing attacks, and enable two-factor authentication where they can.

LastPass was purchased by LogMeIn for $110 million in October 2015.

Update 3/3/2016 - LastPass on Friday said all extensions are now updated with the fix and released to users. The extension update is said to occur automatically, but it can also be downloaded directly from LastPass.

"Thus far, there have been no internal or external reports to indicate this bug has been exploited," wrote LastPass.
